[Seaside] More secure cookie auto-login for TF-Login

Pierce Ng pierce at samadhiweb.com
Tue Jan 14 15:47:45 UTC 2020


Hi all,

I've implemented a more secure cookie-based auto-login in TF-Login to
replace the existing simple and insecure cookie scheme.

  https://github.com/PierceNg/TF-Login/tree/password

To load, start with fresh Pharo 7 image:

    "First load Seaside."
    Metacello new 
        baseline: 'Seaside3'; 
        repository: 'github://SeasideSt/Seaside:v3.3.3/repository'; 
        load. 
        
    "Then load TF-Login."
    Metacello new 
        baseline: 'TFLogin'; 
        repository: 'github://PierceNg/TF-Login:password/src'; 
        load.

Start Test Runner to run TF-Login's tests. All 78 tests should pass. The
unit tests #testLoginLogout and #testLoginThenAutomaticLogin exercise
the cookie-based auto-login functionality.

Auto-login is also implemented in the TLTestApp demo Seaside application.
See attached screenshot of the cookie stored in Chromium upon logging into
TLTestApp.

The original cookie-based auto-login stores username and the SHA1-hashed password in client
cookies. This replacement implementation is based on Paragon Initiative's blog post on
"remember me" cookies.

  https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence

Pierce
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tflogin-cookie.png
Type: image/png
Size: 33286 bytes
Desc: not available
URL: <http://lists.squeakfoundation.org/pipermail/seaside/attachments/20200114/d0e23695/attachment-0001.png>
